Home > Enterprise Mobility Management > Deployment Guides > Education Deployment Guide and Best Practices

Education Deployment Guide and Best Practices


Meraki Systems Manager is an industry leading cloud EMM (Enterprise Mobility Management) platform that can be used for managing mobile devices across all types of education deployments. This document reviews recommended best practices and outlines steps required to configure Meraki Systems Manager using the Meraki Dashboard for education deployments.

Deployment Considerations

Please consider the following when rolling out your mobile deployments:

  • What kinds of devices do you have? (iOS, Android, Windows, macOS, etc)
  • How many devices do you have, and how many do you expect to get on your network over the next 18-36 months?
  • Who owns the devices? (Student owned, school owned)
  • What is the deployment model for your devices? (e.g. 1:1 student:device, shared iPad carts, lab)?
  • What do students and teachers need to do on these devices? (e.g. use apps in the classroom, check email, work on assignments.)
  • How heavily do you want to restrict certain types of behavior (e.g. camera usage, installation of apps)?
  • Are you integrating with Apple School Manager, or using the Apple Classroom app?
  • What is your device provisioning strategy? Do you use Apple’s Device Enrollment Program (DEP) and/or Apple’s Volume Purchase Program (VPP)? Do you need to distribute apps and/or app licenses?
  • Do you plan to license applications to individual users, or directly to the devices? 
  • Do you have Active Directory service for student/staff login management? 

Decisions on the above criteria will drive your Meraki Systems Manager configuration. The following sections talk about generic use-cases and deployment methodologies. Please contact Meraki sales if you have further questions. 

Core Concepts

There are a few key concepts in Systems Manager, and it is helpful to understand them before setting up anything in your network. Thinking about these things beforehand will make your initial deployment and ongoing management much simpler. 

Access Rights

The first of these items is access rights. By default, Systems Manager will grant administrators the maximum amount of control available when applied to enrolled devices. However, in bring-your-own-device (BYOD) environments, device owners may not want administrators having this level of control. 

Systems Manager can be customized to meet the needs of different deployment models by changing the permissions of what can be retrieved from or sent to the device. It is important to note that Access Rights must be set before devices are enrolled; changes made after enrollment will only take effect if a device is reenrolled.   

Systems Manager > MDM > Add devices


For a comprehensive guide to tags, please visit the following documentation article: Using Tags in Systems Manager.

Tags are used to group devices within Systems Manager. These tags are used to define the apps, controls, and settings provisioned by Systems Manager.

There are two main types of tags: static and dynamic.

  • Static tags are generally applied manually to individual devices by the administrator.
  • Dynamic tags are applied automatically, and can change depending on certain factors. 

When tags are applied at the owner level, SM relies on a user database to manage these tags.  This database can also be used to authenticate a device owner upon enrollment, which provides an extra layer of security. Authentication can be done via Active Directory integration, or using Meraki hosted owners/accounts (see SM Enrollment Authentication for more information). When a user authenticates on a device, their owner groups or AD groups will automatically be applied as tags to devices they own. This is one example of dynamic tags. 

Dynamic tags can also be applied based on time of day (schedule), physical location (geofence), or security posture.  These policy-based tags are automatically applied to devices based on their state. For more information on these types of tags, please refer to the documentation below:

In addition, tags are used to scope or group devices, and apply profiles and push content accordingly. Scoping can be done with boolean logic which allows highly granular application of functionality to a device. The example below shows scoping for an App, but the same method would be used to scope other things, like profiles.

  • If you want this app to be available to all devices of the type selected (iOS or Android), then from the scope drop down select ‘All devices’
  • If you want this app to be available for a select group of devices, then select the option ‘with ALL of the following tags’ as shown below.




Before devices can be managed within Systems Manager, they have to be enrolled in your EMM network. There are different types of enrollment that can be used to meet the needs of different device types or deployment models. For example, while the simplicity of a fully automated enrollment is ideal, this method does not suit BYOD deployments, and isn’t compatible with all devices. 

SM Enrollment Authentication

As mentioned previously, to provide an extra layer of security regarding which devices are able to enroll in Systems Manager, you can require authentication upon enrollment. Authentication is compatible with all types of enrollment, and there are additional benefits beyond security. First, enrollment authentication ties an owner to a device automatically. Second, enrollment authentication ties a user’s groups (either LDAP or Meraki Managed) to all of their devices as dynamic tags, for automatic grouping.

Authenticating prior to SM enrollment

Fully Automated Enrollment

With fully automated enrollment, a device will be enrolled into Systems Manager automatically, and can be configured so the user has no option to cancel or prevent the enrollment. In addition to this, the device will automatically have apps, controls and settings provisioned based on the person using the device (device owner) with no direct user or administrator configuration required.

This type of enrollment allows for the highest levels of EMM control, and is only possible with iOS and macOS devices that are eligible for Apple’s Device Enrollment Program (DEP). Automated enrollment can reduce the administrative cost of deploying devices significantly, with the benefits increasing with the numbers of devices being deployed. 

With DEP, devices can be directed by Apple to install Systems Manager when the user first opens the box and powers on the device. This eliminates all pre-staging and the need for Apple Configurator.

Partially Automated Enrollment

Partially automated enrollment supports a wider range of devices (for example iOS devices which are not enrolled in DEP) and can be completed by the end user or by an administrator pre-staging the device.

As with automated enrollment, two core functions are performed: The installation of the Systems Manager profile, app, or agent to the device, and the configuration of apps, settings, and controls. 

The installation of the Systems Manager components can be performed by a user or the administrator by visiting http://m.meraki.com and following the instructions. To reduce the administrative workload, this can be done by the device user. 

Meraki wireless products can be integrated with Systems Manager, to simplify and automate this process for the end user. This feature, called Systems Manager Sentry enrollment, checks all connecting devices and forces the clients to go through the on-boarding process through http://m.meraki.com if it detects that they don’t have Systems Manager installed.

Wireless > Configure > Access control

Integration with a user database and owner assignment can be accomplished without DEP or User Authentication. It is a more manual process without authentication, but it does allow mixed device types to be assigned to a user. 

Systems Manager > Configure > Owners > User account

Manual Enrollment

With manual enrollment, the widest range of devices can be supported as there isn’t a reliance on vendor or platform specific features. This type of enrollment is often suitable for BYOD environments. Installation of the Systems Manager components can be performed by a user or the administrator by visiting http://m.meraki.com and following the instructions. Manual enrollment doesn’t require a user database, and tags used to configure devices can be assigned by the administrator in the Meraki dashboard.

When a user visits http://m.meraki.com in this configuration they will be asked to enter a network number:

Entering the unique Systems Manager network ID
This number allows the on boarding process to know which Systems Manager network the device should be joined to. The network ID and distribution options (email, SMS, or QR code for the end-user) can be found in Dashboard:



Dashboard > MDM > Add devices > On-device setup


Systems Manager > MDM > Add devices > Other options

App Management

App management scopes which applications will be added to which devices, and installs them accordingly. Native (built-in) applications on devices provide functionality for managing everyday activities - like e-mail, calendars, contacts, and web browsing. For increased productivity and functionality on top of native applications on devices, there are hundreds of thousands of third-party apps that are available in the Apple App Store and the Google Play Store, as well as applications for Windows and macOS devices.

There are several ways to distribute apps and apps licenses to devices, as well as options to scope your devices in the Meraki Dashboard. The following sections will go over suggestions and examples for grouping devices and distributing apps in the Meraki Dashboard.

Adding Apps in Dashboard

There are several considerations for distributing applications based on the device, and type of application. For mobile devices, there are public apps, like those found in the App Store and Google Play store, and there are private apps, like custom or enterprise iOS and Android apps. 

To add applications to your Meraki Dashboard, navigate to Systems manager > MDM > Apps.  Next, click the Add new button, on the far right hand side, as shown below, and choose the appropriate app type:

Systems Manager > MDM > Apps

Assigning VPP Licenses for use with Apple App Store Apps

With Apple’s Volume Purchasing Program (VPP) it is possible to bulk purchase licenses for iOS  and macOS applications. This is particularly useful in education where groups of students or staff will all need the same application. 

With a configured VPP account, the applications that you have purchased are displayed in the Meraki dashboard. This single view makes it easy to keep track of all of your apps and how many licenses have been assigned.

Systems Manager > MDM > VPP

Systems Manager supports and fully integrates with all of Apple's methods of deploying VPP apps - managed distribution and redeemable codes. With managed distribution, users are invited to receive VPP apps through their Apple ID. This license can be revoked at any point, and transferred to another user. Thus, the distributing organization retains full ownership and control of purchased VPP apps. With iOS 9, Apple released the ability to assign apps to devices using serial numbers, thereby eliminating the need to have an Apple ID on the device, or manage VPP users. 

Systems Manager > MDM > Apps 

For more information about deploying VPP licenses to iOS devices, please view the following article on Deploying VPP Apps.

Apple School Manager and Classroom

For information on configuring ASM for use with the Apple Classroom app through Systems Manager, please visit our full guide here.  


In an educational environment it is often necessary to limit the availability of some of features, or configure others. These can be restrictions, like disabling the camera, or other settings, like Wi-Fi or AirPlay. Restrictions or settings can be collected together into a profile, and devices can have multiple profiles applied to them. 

Multiple profiles allow granular device restrictions and simple management

Applying restrictions or settings to a device with Systems Manager works in the same way as other functions of Systems Manager - tags are used to scope which devices get which features. This allows for a highly granular or a hierarchical approach to applying restrictions to devices. In an education environment, you may want to create base or global profiles that apply to a larger group of devices, like “Student” or “Staff”, then more specific profiles targeted at smaller groups, like “5th Grade” or “Science”. This eliminates the need for administrators to maintain global or base settings in multiple profiles for each device use case. This profile can then be updated in the future and all associated devices will automatically update. If a device receives multiple profiles where the policies have conflicting settings, the more restrictive settings apply.

Systems Manager > MDM > Profiles > Add New

Assigning a profile to devices in Dashboard uses the same scoping method as discussed earlier. Profiles can be scoped to static or dynamic tags. Dynamic tags reduce the work required to manage a large number of devices, while also providing automated control. For example, if a device is not physically at school, then it can have the school restrictions removed for home use through the Geofencing feature. Further information on Geofencing is available here.

For further detail on how to configure profiles please visit the following documentation article here.


The restrictions that are available vary by device platform, where iOS has the most options for feature restrictions.  An example of a global school policy that could be implemented on all devices is the restriction of the use of the camera. This restriction could be included in an organization-wide profile applied to all student devices:

Systems Manager > MDM > Settings > Restrictions

When iOS devices are supervised (either through DEP or Apple Configurator), additional restrictions become available. Supervision offers greater control of the device. Single App Mode is a good example of a more restrictive control.

Dashboard > MDM > Settings > Restrictions

In Single App Mode, the iOS device can be restricted to allow only one app to be used on the device. This locks down the device and prevents any other activity from being performed. 

This functionality is also available for Samsung KNOX capable Android devices using the ‘Kiosk Mode’ feature from Systems Manager > MDM > Settings > Samsung KNOX.


Along with restrictions, profiles can contain a variety of settings. The following categories of settings are available:

  • Passcode
  • WiFi
  • VPN
  • ActiveSync
  • Web Clips
  • Wallpaper
  • Home Screen Layout
  • Managed App Settings
  • Managed Domains
  • Apple Classroom
  • Per-app VPN
  • Notification settings
  • Credentials
  • Backpack
  • Privacy
  • AirPlay
  • Samsung KNOX
  • macOS Systems Preferences and FileVault
  • Android specific restrictions

This document will not cover all of the settings available but will provide examples of how some of these settings can be used in an education environment. For further information about all the possible settings and how they can be used, please refer to our documentation here.


Systems Manager can provision the WiFi and network settings of a device in two ways: Manually, or automatic with an existing Meraki wireless network. In a manual configuration, the relevant information for the connection is manually entered. This would include information such as the SSID, selection of the security settings, certificate, pre-shared key, etc.

Alternatively, when a Meraki Wireless Network exists in the same organization as Systems Manager, this information can be automatically imported. By choosing “Sentry” in the interface, the necessary information is injected into the settings:

Dashboard > MDM > Settings > WiFi


With AirPlay configuration in Systems Manager, devices can be pre-provisioned with the connection details for AirPlay devices. This can be a great way to secure Apple TV and other AirPlay resources from students, while ensuring that teacher’s devices have all the information required to connect. This allows teachers to spend more time running the class and less time finding the right device to connect to and inputting the appropriate password.

Dashboard > MDM > Settings > AirPlay

Systems Manager can also be customized to only list specific AirPlay devices, allowing for restricted student access to these resources.


The Backpack feature in Systems Manager allows content to be delivered to devices automatically. This ensures that when the class starts students will already have the content they need, so the teacher doesn't need to wait for them to download it. 


Dashboard > MDM > Settings > Backpack

Class or grade-specific content can be sent to devices based on how that particular device is being used. Backpack can be used to deliver items like homework, lesson plans, study guides, or handbooks. For further detail on how to configure backpack, please visit the following documentation article here.

In-Class Management

The Teacher’s Assistant functionality within Systems Manager allows you to give restricted administrative access to users, like teachers, to better utilize technology within the classroom. Teacher’s Assistant is built on limited access roles, which allows you to give an administrator access to specific devices only, based on tags. The tags can be any of the static or dynamic tags used in dashboard. For example, you could give access to iOS devices, with a “student” and “science” tag, during 3rd period. 

Teacher’s Assistant gives educators the ability to manage student devices while in the classroom. They can do things like clear passcodes, initiate airplay, lock devices into single app mode for the duration of an exercise, and distribute backpack documents. 


This guide is meant to provide guidance on a small selection of features and functionality within Systems Manager, and is not a comprehensive guide to every education deployment or use case. It is highly recommended that a list of user profiles and requirements are developed prior to deployment. This way, parameters can be iteratively adjusted to meet different use cases, based on real world experience. 

You must to post a comment.
Last modified
15:25, 13 Jul 2017


This page has no custom tags.


This page has no classifications.

Article ID

ID: 4897

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case